I am trying to build a service where anybody can send an image file from an email address/client and process it. Think about the service a bit like Flickr showing the image in a dashboard that comes via emails.
From a usability standpoint this mechanic offers a great deal of advantage, but I want to understand the security consequences of such an action. Some concerns are:
Am I taking the right approach here? Are there serious consequences that I should be aware of?
Insert a picture into the body of an email message: Position your cursor where you want the image in your message. Select Insert > Pictures. Browse your computer or online file locations for the picture you want to insert. Select the picture, then select Insert.
As a general rule, it makes sense to turn off images by default because it prevents spammers from using images embedded in a message to confirm that they've found a real email address when someone actually reads their email.
Things you should do and take into consideration.
1. Make sure your mail server is configured for virus scanning, and keep it up to date. That'll be the first line of defense.
2. When the email comes in, attempt to process the image in a known rock solid library.
3. Be aware that many emails contain multiple images, some of which may have nothing at all to do with the one they are sending. For example, our company emails all include our logo at the bottom. I'm not exactly sure what the solution is here, but you'll want to take it into consideration.
4. Different email clients handle image attachments, well, differently. Sometimes it's as a normal attachment, sometimes it's embedded in the body. Even within the same client an image might be handled differently depending on whether they sent the email as plain text with attachments or as HTML mail.
5. People will test your system. They'll send .js files, they'll send images whose headers are jacked in order to overflow your image processing library...
6. Consider enforcing certain email restrictions such as SPF checks.
7. Be prepared to receive images that are absolutely huge. Today's cameras take very large photos and a lot of people don't know what crop or resize means. You might consider setting a cap of 15MB or larger per email coming into your server. Then, in combination with #2 above, auto resizing images down to something a bit more acceptable.
8. Determine the mechanism you actually want to use to notify the user of any issues. Bear in mind that this mechanism is subject to abuse. For example, consider a spam message sent to your machine with reply-to headers going to a victim.
If you are using .net, see this for a possible way to confirm a file is an image: How can I determine if a file is an image file in .NET?
I'm not saying this is 100% secure (can you ever be 100% secure?) but here is something that you can try:
Let's say that you have an alias on your postfix (or whatever mail system) that redirects incoming emails to a PHP/Bash/Python script for further processing.
The first thing I would do is use an image manipulation library (say ImageMagick) and convert all incoming files to a .png format or whatever, and only proceed further with your logic if the conversion is successful.
This way, if someone sends you any malicious attachments (PHP exploits, JARs, SWFs, anything) the conversion will fail, and hence it will be disregarded by your system.
Edit: ImageMagick has the "identify" command which does exactly what you want.
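As an added example (not code from either answer above), here is a sketch of the front half of such an alias-piped script using only Python's standard library: it walks every MIME part, ignores the declared type and file name, accepts only parts whose leading bytes match a known image format, applies a size cap, and flags inline parts. The function names, the accepted-format list, the rejection messages and the sample message are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

MAX_IMAGE_BYTES = 15 * 1024 * 1024  # cap figure taken from the answer above
# Leading magic bytes of the formats this (hypothetical) service accepts.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
         b"GIF87a": "gif", b"GIF89a": "gif"}

def sniff(data):
    """Identify an image by its bytes, ignoring declared type and file name."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return None

def extract_images(raw, max_bytes=MAX_IMAGE_BYTES):
    """Split one raw message into (accepted, rejected) leaf parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    accepted, rejected = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        disp = part.get_content_disposition()
        if disp is None and part.get_content_maintype() == "text":
            continue  # plain or HTML body text, not a file
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        kind = sniff(data)
        if kind is None:
            rejected.append((name, "not a recognised image"))
        elif len(data) > max_bytes:
            rejected.append((name, "over size cap"))
        else:
            # Inline/Content-ID parts are flagged so signature logos can be
            # handled separately from real attachments.
            inline = disp == "inline" or part["Content-ID"] is not None
            accepted.append({"name": name, "kind": kind, "inline": inline, "data": data})
    return accepted, rejected

def build_sample():
    """Constructed test message: a photo, a script named .jpg, an inline logo."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "in@example.invalid", "pic"
    m.set_content("Here is my photo.")
    m.add_attachment(b"\x89PNG\r\n\x1a\n" + bytes(16), maintype="image",
                     subtype="png", filename="photo.png")
    m.add_attachment(b"alert(1);", maintype="image", subtype="jpeg",
                     filename="holiday.jpg")
    m.add_attachment(b"GIF89a" + bytes(16), maintype="image", subtype="gif",
                     filename="logo.gif", disposition="inline", cid="<logo@example.invalid>")
    return m.as_bytes()
```

Magic-byte sniffing is only a cheap pre-filter: accepted parts still need the full decode and re-encode step described above, since a file can carry a valid signature and a malformed body.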